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DETAILED ACTION 

This office action is in response to Applicant's Remarks and Amendments filed 
July 27, 2006. 

Claims 1 and 4 are amended. 
Claims 1-24 are herein considered. 

Response to Arguments 

Applicant's arguments with respect to the Examiner's incorporation of PCT 
Patent Application Publication No. WO 97/26734 within Kraemer et al. (U.S. Patent No. 
5,798,706) have been fully considered and are persuasive. Therefore, the rejection has 
been withdrawn. However, upon further consideration, a new ground(s) of rejection is 
made in view of PCT Patent Application Publication No. W097/26734. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 

obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1-24 are rejected under 35 U.S.C. 103(a) as being unpatentable over 

Kraemer et al. (U.S. Patent No. 5,798,706), and further in view of International 

Patent Application Publication No. WO 97/26734. 
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As per Claim 1, Kraemer et al. discloses an apparatus for detecting adversarial 
activity on a network, comprising a memory adapted to store a host table (see col. 3 
lines 46-60); a key exchanger; a translator adapted to translate predetermined portions 
of packet header information of a data packet, wherein the predetermined portions 
include an address (see col.4 lines 33-46); a mapping device adapted to map the 
address to the host table (see col.3 line 60 thru col.4 line 2); a host resolution device 
adapted to issue a request to the network to resolve the address when the address 
does not match an entry in the host table and to supplement the host table with the 
address upon receipt of a reply to the request that indicates that the address is valid 
(col.4 lines 33-52); and an actuator adapted to trigger a security device when the 
address does not match an entry in the host table (see col.4 lines 3-5 and 20-32). 

Kraemer fails to specifically mention a key exchanger adapted to derive a cipher 
key and a translator adapted to translate predetermined portions of packet header 
information of a data packet according to a cipher algorithm keyed by the cipher key. 

WO 97/26734 teaches a key exchanger adapted to derive a cipher key (page 2) 
and a translator adapted to translate predetermined portions of packet header 
information of a data packet according to a cipher algorithm keyed by the cipher key 
(page 2). 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to include within the Kraemer system a key exchanger adapted to 
derive a cipher key and a translator adapted to translate predetermined portions of 
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packet header information of a data packet according to a cipher algorithm keyed by the 
cipher key as described in WO 97/26734 to provide enhanced security capabilities. 

As per Claim 2, the combination of Kraemer and WO 97/26734 discloses an 
apparatus as set forth in Claim 1, wherein the security device is a logging device 
adapted to log the data packet (see Kraemer col.4 lines 3-5 and 26-31). 

As per Claim 3, the combination of Kraemer and WO 97/26734 discloses an 
apparatus as set forth in Claim 1 , wherein the security device is adapted to signal an 
alarm when triggered (see Kraemer col.2 lines 27-31 and col.4 lines 20-25). 

As per Claim 4, the combination of Kraemer and WO 97/26734 discloses an 
apparatus as set forth in Claim 1 , further comprising a host resolution device adapted to 
derive the host table using an address resolution protocol (see Kraemer col.4 lines 48- 
52). 

As per Claim 5, the combination of Kraemer and WO 97/26734 discloses an 
apparatus as set forth in Claim 1 , further comprising a network device adapted to place 
the data packet onto a network when the address maps to the host table (Kraemer col.1 
line 66 through col.2 line 9 and col.2 lines 27-31). 

As per Claim 6, Kraemer et al. discloses a method for detecting adversarial 
activity on network, comprising storing a host table (see col. 3 lines 46-60); deriving a 
key; translating predetermined portions of packet header information of a data packet, 
wherein the predetermined portions include an address (see col.4 lines 33-46); mapping 
the address the host table (see col.3 line 60 thru col.4 line 2); issuing a request to the 
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network to resolve the address when the address does not match an entry in the host 
table and supplementing the host table with the address upon receipt of a reply to the 
request that indicates that the address is valid (col.4 lines 33-52); and triggering a 
security device when the address does not match an entry in the host table (see col.4 
lines 3-5 and 20-32). 

Kraemer fails to specifically mention a key exchanger adapted to derive a cipher 
key and a translator adapted to translate predetermined portions of packet header 
information of a data packet according to a cipher algorithm keyed by the cipher key. 

WO 97/26734 teaches a key exchanger adapted to derive a cipher key (page 2) 
and a translator adapted to translate predetermined portions of packet header 
information of a data packet according to a cipher algorithm keyed by the cipher key 
(page 2). 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to include within the Kraemer system a key exchanger adapted to 
derive a cipher key and a translator adapted to translate predetermined portions of 
packet header information of a data packet according to a cipher algorithm keyed by the 
cipher key as described in WO 97/26734 to provide enhanced security capabilities. 

As per Claim 7, the combination of Kraemer and WO 97/26734 discloses a 
method as set forth in Claim 6, further comprising logging the data packet when the 
address does not match an entry in the host table (see Kraemer col.4 lines 3-5 and 26- 
31). 
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As per Claim 8, the combination of Kraemer and WO 97/26734 discloses a 
method as set forth in Claim 6, further comprising signaling an alarm when the security 
device is triggered (see Kraemer col. 2 lines 27-31 and col.4 lines 20-25). 

As per Claim 9, the combination of Kraemer and WO 97/26734 discloses a 
method as set forth in Claim 6, further comprising deriving the host table using an 
address resolution protocol (see Kraemer col.4 lines 48-52). 

As per Claim 10, the combination of Kraemer and WO 97/26734 discloses a 
method as set forth in Claim 6, further comprising placing the data packet onto a 
network when the address maps to the host table (see Kraemer col.4 lines 3-5 and 26- 
31). 

As per Claim 11, Kraemer et al. discloses a device for detecting adversarial 
activity on a network, comprising means for storing a host table (see col. 3 lines 46-60); 
means for deriving a key; means for translating predetermined portions of header 
information of a data packet, wherein the predetermined portions include an address 
(see col.4 lines 33-46); means for mapping the address to the host table (see col.3 line 
60 thru col.4 line 2); means for issuing a request to the network to resolve the address 
when the address does not match an entry in the host table and supplementing the host 
table with the address upon receipt of a reply to the request that indicates that the 
address is valid (col.4 lines 33-52); and means for triggering a security device when the 
address does not match an entry in the host table (see col.4 lines 3-5 and 20-32). 
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Kraemer fails to specifically mention means to derive a cipher key and means to 
translate predetermined portions of packet header information of a data packet 
according to a cipher algorithm keyed by the cipher key. 

WO 97/26734 teaches the means to derive a cipher key (page 2) and the means 
to translate predetermined portions of packet header information of a data packet 
according to a cipher algorithm keyed by the cipher key (page 2). 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to include within the Kraemer system the means to derive a cipher 
key and the means translate predetermined portions of packet header information of a 
data packet according to a cipher algorithm keyed by the cipher key as described in WO 
97/26734 to provide enhanced security capabilities. 

As per Claim 12, the combination of Kraemer and WO 97/26734 discloses a 
device as set forth in Claim 1 1 , further comprising means for logging the data packet 
when the address does not match an entry in the host table (see Kraemer col.4 lines 3- 
5 and 26-31). 

As per Claim 13, the combination of Kraemer and WO 97/26734 discloses a 
device as set forth in Claim 1 1 , further comprising means for signaling an alarm when 
the security device is triggered (see Kraemer col. 2 lines 27-31 and col.4 lines 20-25). 

As per Claim 14, the combination of Kraemer and WO 97/26734 discloses a 
device as set forth in Claim 1 1 , further comprising means for deriving the host table 
using an address resolution protocol (see Kraemer col.4 lines 48-52). 



Application/Control Number: 09/928,133 Page 8 

Art Unit: 2137 

As per Claim 15, the combination of Kraemer and WO 97/26734 discloses a 
device as set forth in Claim 1 1 , further comprising means for placing the data packet 
network when the address maps to the host table (see Kraemer col.4 lines 3-5 and 26- 
31). 

As per Claim 16, Kramer et al. discloses a bastion host adapted for processing 
packet header information of a data packet, the bastion host being operable to store a 
host table (see col. 3 lines 46-60) derive a key; translate predetermined portions of 
packet header information of a data packet, wherein the predetermined portions include 
an address (see col.4 lines 33-46); map the address to the host table (see col. 3 line 60 
thru col.4 line 2); issuing a request to the network to resolve the address when the 
address does not match an entry in the host table and supplementing the host table with 
the address upon receipt of a reply to the request that indicates that the address is valid 
(col.4 lines 33-52); and trigger a security device when the address does not match an 
entry in the host table (see col.4 lines 3-5 and 20-32). 

Kraemer fails to specifically mention deriving a cipher key and translating 
predetermined portions of packet header information of a data packet according to a 
Cipher algorithm keyed by the cipher key. 

WO 97/26734 teaches deriving a cipher key (page 2) and translating 
predetermined portions of packet header information of a data packet according to a 
cipher algorithm keyed by the cipher key (page 2). 
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It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to include within the Kraemer system the means to derive a cipher 
key and the means translate predetermined portions of packet header information of a 
data packet according to a cipher algorithm keyed by the cipher key as described in WO 
97/26734 to provide enhanced security capabilities. 

As per Claim 17, the combination of Kraemer and WO 97/26734 discloses the 
bastion host as set forth in Claim 16, the bastion host being further operable to log the 
data packet when the address does not match an entry in the host table (see Kraemer 
col.4 lines 3-5 and 26-31). 

As per Claim 18, the combination of Kraemer and WO 97/26734 discloses the 
bastion host as set forth in Claim 16, the bastion host being further operable to signal an 
alarm when the security device is triggered (see Kraemer col. 2 lines 27-31 and col.4 
lines 20-25). 

As per Claim 19, the combination of Kraemer and WO 97/26734 discloses the 
bastion host as set forth in Claim 16, the bastion host being further operable to derive 
the host table using an address resolution protocol (see Kraemer col.4 lines 48-52). 

As per Claim 20, the combination of Kraemer and WO 97/26734 discloses the 
bastion host as set forth in Claim 16, the bastion host being further operable to place 
the data packet onto a network when the address maps to the host table (see Kraemer 
col.4 lines 3-5 and 26-31). 

As per Claim 21, the combination of Kraemer and WO 97/26734 discloses the 
apparatus as set forth in Claim 1 , wherein said key exchanger is further adapted to 
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repeatedly derive a cipher key with the cipher key derived by said key exchanger over 
time (see WO 97/26734 page 8 lines 10-15, and page 11 line 31 thru page 13 line 5). 

As per Claim 22, the combination of Kraemer and WO 97/26734 discloses the 
method as set forth in Claim 6, wherein deriving the cipher key comprises repeatedly 
deriving a cipher key such that the resulting cipher key changes over time (see WO 
97/26734 page 8 lines 10-15, and page 11 line 31 thru page 13 line 5). 

As per Claim 23, the combination of Kraemer and WO 97/26734 discloses the 
device as set forth in Claim 1 1 , wherein said means for deriving a cipher key is further 
adapted to repeatedly derive a cipher key such that the resulting cipher key changes 
overtime (see WO 97/26734 page 8 lines 10-15, and page 11 line 31 thru page 13 line 
5). 

As per Claim 24, the combination of Kraemer and WO 97/26734 discloses the 
bastion host as set forth in Claim 16, wherein said the bastion host is further operable to 
repeatedly derive a cipher key such that the resulting cipher key changes over time (see 
WO 97/26734 page 8 lines 10-15, and page 11 line 31 thru page 13 line 5). 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Tamara Teslovich whose telephone number is (571) 
272-4241. The examiner can normally be reached on Mon-Fri 8-4:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on (571) 272-3865. The fax phone 
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number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 




EMMANUEL L. MOISE 
SUPERVISORY PATENT EXAMINER 




